Displaying 20 results from an estimated 44 matches for "sasl_mech".
2012 Jan 17
1
Samba 4 and GSSAPI kerberos ldap connect
Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
moment, I authenticate by specifying the binddn and password in
/etc/nslcd.conf and all works fine.
If I add the line:
sasl_mech GSSAPI
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works.
ldapsearch and getent passwd draw a blank.
ldapsearch -x -b '' -sbase supportedSASLMechanisms
gives me:
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMe...
2007 Jan 11
1
Configuring Dovecot for use with Active Directory
...d another set of eyes to look at it (of course dovecot.conf should also be correct, but one thing at a time). Here's my dovecot-ldap.conf file:
hosts = 192.168.0.240
#uris =
dn = cn=<BINDUSER>,ou=IT,ou=Central Office,dc=<DOMAIN>,dc=local
dnpass = <>PASSWORD
#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =
auth_bind = yes
#auth_bind_userdn =
ldap_version = 3
base = dc=<DOMAIN>, dc=local
deref = never
scope = subtree
#user_filter = (&(objectClass=posixAccount)(uid=%u))
#pass_attrs = uid=user,userPassword=password
#pass_attrs = uid=user,userPassword=password,h...
2012 Jul 12
2
nslcd service - "Client not found in Kerberos database"
Hi,
I am trying to configure the nslcd service on an Ubuntu client for kerberos
authentication against samba4. My /etc/nslcd.conf contains the following:
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
I have added the host principal "host/ubuntu-test.mydomain.net @
MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client
by using ktutil. I have confirmed that the principals exist on both
machines by using klist -ke /etc/krb5.keyt...
2016 Oct 11
2
Problems with GSSAPI and LDAP
...cache:
FILE:/tmp/dovecot.krb5.ccache))
I have set the import_environment in dovecot.conf:
import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
And these in LDAP configuration:
dn = imap/host.example.com at EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com at EXAMPLE.COM
I have tried with different values in dn and sasl_authz_id and also
leaving them out completely but I always end up with the error message
above. Using simple bind without GSSAPI works just fine.
The credenti...
2011 Feb 02
1
LDAP and GSSAPI problems
...aving. Samba 4 has
recently changed to require binds. I need LDAP to verify users exist. I
am using Kerberos (GSSAPI) as the passdb. Samba can handle
GSSAPI/Kerberos SASL binds.
I have the following in my dovecot-ldap setup for userdb:
dn = smtp/mailhost.example.org at EXAMPLE.ORG
sasl_bind = yes
sasl_mech = GSSAPI
sasl_realm = EXAMPLE.ORG
sasl_authz_id = smtp/mailhost.example.org at EXAMPLE.ORG
Which gives me the following error.
Debug: ldap(trever): user search: base=dc=example,dc=org scope=subtree
filter=(&(objectClass=person)(|(mail=trever)(sAMAccountName=trever)(userPrincipalName=trever))...
2019 Aug 15
2
SASL: encoded packet size too big
> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote:
>
>
> The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet from the previous mail).
> sasl_bind = yes
> sasl_mech = gssapi
> tls = yes
>
> Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi).
> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
>
> With `...
2016 Oct 11
2
Problems with GSSAPI and LDAP
...ovecot.conf:
>>
>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>
>> And these in LDAP configuration:
>>
>> dn = imap/host.example.com at EXAMPLE.COM
>> sasl_bind = yes
>> sasl_mech = gssapi
>> sasl_realm = EXAMPLE.COM
>> sasl_authz_id = imap/host.example.com at EXAMPLE.COM
>>
>> I have tried with different values in dn and sasl_authz_id and also
>> leaving them out completely but I always end up with the error message
>> above. Using simpl...
2006 Jan 26
3
ldap not using kerberos (winbind rid idmap)
...EP is fine
too. In fact ldap even asks for available SASL mechanisms. After some
negotiation it _successfully_ binds using GSS SPNEGO. But.. even after this
successfully established encrypted bind it keeps querying in plain text. Is
there anything I can do about it?
For testing purposes I set "sasl_mech gssapi" in my ldap.conf but that
didn't have any impact at all.
regards, Roman
2019 Aug 15
2
SASL: encoded packet size too big
...at open-xchange.com> wrote:
>
> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote:
> The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet from the previous mail).
> sasl_bind = yes
> sasl_mech = gssapi
> tls = yes
> Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi).
> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/...
2019 Aug 14
2
SASL: encoded packet size too big
Hello!
Dovecot uses its own SASL implementation, doesn't it?
Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536)
Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com
Aug 14 23:45:23 example.com
2016 Oct 11
2
Problems with GSSAPI and LDAP
..._ERROR LISTEN_PID
>>>> LISTEN_FDS
>>>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>>
>>>> And these in LDAP configuration:
>>>>
>>>> dn = imap/host.example.com at EXAMPLE.COM
>>>> sasl_bind = yes
>>>> sasl_mech = gssapi
>>>> sasl_realm = EXAMPLE.COM
>>>> sasl_authz_id = imap/host.example.com at EXAMPLE.COM
>>>>
>>>> I have tried with different values in dn and sasl_authz_id and also
>>>> leaving them out completely but I always end up with the e...
2012 Jan 15
3
Samba 4 ldb_wrap open of idmap.ldb
...userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
#sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
Thanks
Steve
2010 Mar 31
3
Dovecot+LDAP issues
...-------------
#Server
hosts = gold.example.com extra.example.com
tls = yes
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = onelevel
#uid/gid
user_global_uid = 5000
user_global_gid = 5000
#Bind used for reading entries
dn = cn=dovecot,ou=people,dc=example,dc=com
dnpass = secret
sasl_bind = no
sasl_mech =
#passdb: use password lookups to authenticate users
auth_bind = no
pass_attrs = userPassword=password
#, =userdb_home=/home/vmail/%d/%n
pass_filter = (&(maildrop=%u)(mailacceptinguser=1))
default_pass_scheme = PLAIN-MD5
---------------------------------------------------------...
2019 May 08
2
Dovecot not surviving OpenLDAP restart
Hi!
Running Dovecot 2.2.36 and authenticating against
an OpenLDAP 2.4.45 server.
Now, since some update of Dovecot, it will not be able to authenticate
your logins after the LDAP service is restarted
without a reboot of the Dovecot server.
Anything new here that I should be aware of?
Best Regards
Dag
2014 Oct 05
1
What is wrong with my nslcd configuration?
...or can cause errors and can/must be removed)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group member member
# Kerberos
#sasl_mech GSSAPI
#sasl_realm CORP.OFLAMEO.COM
#krb5_ccname /tmp/nslcd.tkt
# The LDAP protocol version to use.
#ldap_version 3
# LDAP bind (Account in AD that is used from nslcd to bind to the directory)
binddn cn=ldap-connect,cn=Users,dc=corp,dc=oflameo,dc=com
bindpw icanread33#
# The DN used for password...
2013 Oct 26
2
lost with AD auth
...red nslcd:
grep ^[^#] /etc/nslcd.conf
->
uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt
checking that k5start is well running:
ps ax | grep k5
->
2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o
nslcd -K 540 -k /tmp/nslcd.tkt
klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal:...
2019 Aug 14
0
SASL: encoded packet size too big
The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet from the previous mail).
sasl_bind = yes
sasl_mech = gssapi
tls = yes
Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi).
https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
With `tls = no` errors `encoded pack...
2007 Aug 15
0
Dovecot on OpenBSD stalls
...: /etc/dovecot-ldap.conf
userdb:
driver: passwd
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: _postfix
group: _postfix
/etc/dovecot-ldap.conf
hosts = xxx.xxx.xxx.xxx:389
#uris =
#dn =
#dnpass =
#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =
#tls = no
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=koelewijn,dc=bz
#ldap_version = 2
base = dc=bz
#deref = never
#scope = subtree
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
#user_filter = (&(objectClass=posixAccount)(uid=%u))
#pass_...
2012 Feb 12
0
Samba 4 no longer accepts SASL GSSAPI?
..._wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: An unsupported mechanism was
requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
The call is from here:
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
There is a ticket cache in /tmp/krb5cc_0
A conventional bind works fine.
Thanks,
Steve
2013 Sep 23
0
can't dovecot tls/ssl to openldap
...or userdb {} section in
# conf.d/auth-ldap.conf.ext
# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts = ldap.sv.hm
#uris = ldaps://ldap.sv.hm:636/
uris = ldap://ldap.sv.hm:389/
dn = cn=dovecot,ou=bindusers,dc=smuy,dc=net
dnpass = 1qaz2wsx
#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
tls = yes
#tls = no
tls_ca_cert_file = /etc/ssl/certs/ca/signing-ca.crt
tls_ca_cert_dir = /etc/ssl/certs/ca
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_...